When a user is made part of security mechanisms, security solutions are critical. Regardless of the level of awareness, it is always necessary to reduce or minimise the possibility of an attack by using various security mechanisms and settings (additional security systems that will be more successful in detecting malicious files, mechanisms for detecting misleading e-mail messages, etc.). However, this only reduces the chances of an attack, it never full eliminates them.

In the event of such an attack, the weakest link in the chain is always the user, who either will or will not fall for the scam. It is therefore important to constantly and effectively inform users, thus greatly reducing the possibility that their reactions will be false in the event of an attack.

A good way of effectively notifying them is through actual “fire drills”, i.e. live tests. Live tests are significantly more successful than theoretical education. When an exercise/test is performed and the user realises, through their own example, they have been tricked, it will have a positive effect on their awareness. After the test, the user will also be significantly more alert to potential attacks.

A detailed written report consisting of two parts, which are presented in the form of a workshop:

• Management report
  It is a concise overview for executives, providing the basic cybersecurity information.
• Technical report
  This report, which is intended for the system administrator, contains important technical information about the test control points, i.e.: number of opened e-mails, number of clicks on a fake website, number of information actually entered on a fake website. It also contains statistical calculations for the entire group of users that have been included in the testing.

Phishing tests vary in terms of reactions we want to push the user into. There are four types of phishing tests available:

1. A Phishing test with a fake portal with the purpose of tricking the user into entering a username and password

The main purpose of this test is to teach users not to enter their usernames and passwords into any unknown portals.

2. A Phishing test using a Word/Excel attachment with the purpose of tricking the user into opening the attachment and activating a macro functionality

The main purpose of this test is to teach users not to open attachments of unknown origin and not to ignore a Word’s warning about the danger of activating the macro functionalities.

3. A Phishing test with or without attachment with the purpose of tricking the user into an action that will create an undetected demo file at the user’s workstation and/or transfer this demo file from the workstation to our centre

The main purpose of this test is to teach users not to open emails of suspicious origin and/or not to click any unknown Internet connections or open files of unknown origin. By demonstrating the undetected creation of a demo file on a user’s workstation, the user can learn about the possible consequences of such behaviour “in real life”.

4. A Phishing test with or without an attachment with the purpose to test the entire attack in order to gain full control over the user’s workstation

The main purpose of this test is to teach users not to open emails of suspicious origin and/or not to click any unknown Internet connections or open files of unknown origin. Such an attack is in fact an attempt to acquire a full control of the workstation, thus simulating the actual attack to the user and, consequently, testing the adequacy of all other security mechanisms that could prevent such an attack (anti-virus system, intrusion prevention system etc.).

The test is performed in the following stages:

• Preparations
• Testing of the environment
• Test performance
• Report preparation

As part of the preparatory work, we consult with the customer on the adequate version of the phishing test and the group of users included in the test (unless particular reasons are involved, we suggest that all employees of the company be included in the test).

Based on this information, we prepare a proposal of the e-mail text and layout, set up a fake login portal or prepare the proposed content of the attachments. Roughly, all drafts are already in place based on our experience regarding the best suitability of texts and layouts, and are tailored to the client’s corporate image. Client’s further details and wishes are also taken into consideration.

At this stage, it is important that all elements are prepared meticulously and carefully. At the same time, we always leave enough clues for an attentive user to detect the trap and not fall for the attack. If the test is too detailed or if we do not allow users a proper chance to detect the attack, its educational impact is diminished. Users who fall for the simulated attack and realise they could have prevented it after the test has already been performed, will be much more receptive to the message of the test.

This stage is followed by environment testing with the purpose of:

• testing the robustness of the environment (we provide the client with information on how susceptible the environment is to detect the underlying phishing attacks on its own etc.).
• identifying the settings required for the test to be successful.

The test is then performed. The test lasts from one up to three days. Experience shows that measurements are most relevant when acquired over such time period.

The test is concluded with the presentation of a detailed written report.

Since the performance involves users, great care must be taken to protect the personal data and personal integrity of an individual.

We must be aware that the purpose of the test should not and cannot be to identify specific users who do not comply with security principles at a particular control point. This is important because the greatest benefit of the test is to raise user awareness that comes with the test per se. Adding the component of publicly exposing an individual eliminates all benefits of the test.

The technical implementation of testing keeps the collection of specific personal information to a minimum. In the event of a fake portal test, we do not record data (i.e. usernames and passwords) but merely the activity – whether the user inserts any information at all.

As a contractor, we make sure that:

• Data that might still pertain to specific users are not accessed by an unauthorised person, but only by direct test operators.
• All operators performing the test act in accordance with data protection rules and are bound by them both morally and in writing.
• Individual user data is permanently deleted after the test is completed, while reports and similar documents are stored in properly protected environments.

The best time to perform the review is RIGHT NOW. In fact, the need for user safety awareness is constant, so no specific reasons exist to restrict testing.

When thinking about the suitability/unfitness of a certain time slot, keep in mind the following:

• During a collective leave of absence or when most users are on vacation, it is not appropriate to perform the test.
• It is reasonable to carry out the test at the time of the introduction of new rules and policies.
• It is also reasonable to carry out the test before group meetings or trainings at the company, where you can then present fresh results to users and talk about them.

An important benefit of the test is the direct raise of user awareness. After the test, users will make sure to closely monitor the events and develop better reactions to similar attacks or tests in the future. In this respect, it makes sense to repeat the tests as often as possible.

On the other hand, various external factors (other projects, financial contribution, etc.) prevent the company from performing tests on a regular basis.

Practice shows that it is reasonable to carry them out at least once every 6 months or once every 12 months. In the event of repetitions, it makes sense to partially adjust the tests. Firstly, in order to prevent the users from finding out that they are, once again, participating in a test, and secondly, so that different aspects of awareness can be verified.

A comparison across tests is also important. After carrying out the test, companies perform specific activities intended to raise security awareness (internal training, additional security mechanisms, additional rules and security policies, etc.). A periodic comparison of test results gives the client an insight into the success/failure of the test and the implementation of all additional activities.